Article
By Chris Randles
Editor's Note: With ZENworks, there is often more than one way to accomplish an objective. In this case, another option would be to use the same technique to change the administrator's password, as shown in this Microsoft article.
This tip is for MS Windows Administrators in a ZENworks for Desktops environment.
How to give full local administrator rights to a local workstation account when the local Administrator's password has been lost, and without having access to an Administrative-level Domain account, a ZENworks dynamic local user policy (e.g. a domain workstation), or a third party utility (such as ERD commander).
Solution
- Create a ZENworks application object using ConsoleOne in the location of choice (in this case the object name chosen was 'Elevate'. Make sure your ConsoleOne has the correct version of the ZENworks for Desktops snapins for the version of ZENworks being used in your environment.
- Enter the information shown in the screenshot to the 'Run Options – Application' tab.
- On the 'Run Options – Environment' tab, set the Execution security level to 'Run as unsecure system user'.
- All other settings can be left at default.
- Associate the package to the Novell account you will be using from the problem workstation.
- At the problem workstation, login to Novell and from the Novell Application Launcher 'launch' the application created. This will add the local windows user account to the local Administrators group.
- Typing 'net localgroup administrators' at a DOS prompt should now show the logged in user as being a member of the Administrators group. (Note that the account will not have administrative access until a logout and login has been performed.)
- Perform a logout on the workstation, then login again using the same local Windows account used previously.
- The Windows account will now have full rights to the workstation and this will allow the Administrator's account password to be changed.
- If you do not want the current logged-in Windows account to retain Administrative access to the local workstation you will need to remove that account from the Administrators group. If desired, you could create another ZENworks application which will remove the currently logged-in user from the Administrators group.

Click to enlarge.

Click to enlarge.
Environmental Factors and Pre-Requisites
- The target workstations must have a working Novell client and ZENworks Agent installed.
- This solution should work on any Windows2000 or WindowsXP workstation.
- This solution should work on any workstation where the Novell Client is v4.83 > 4.9x
- This solution should work in any ZENworks for Desktops environment from v3.x > v7.x and where the installed ZENworks agent is a correct version match for the environment.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.
Related Articles
- Standardize Fonts using AdminStudio ZENworks Edition and a Force Run Object
- Cool Tip for Launching NALWIN in Various Modes
- Restricting the ZENworks Workstation Users from Uninstalling or Modifying the ZENworks Configuration Management
- Faronics Deep Freeze Snapin for ConsoleOne available at no charge
- Roaming Profile for Microsoft Vista in ZENworks 10 Configuration Management
User Comments
Technician Local Administrator Rights
Submitted by paulpf on 4 January 2008 - 11:05am.
Another way is to make a User Policy w/ZENworks Dynamic Local User for a technician account with Administrator Rights and check Volatile. This will allow the technician to log in Locally with full rights, fix most anything locally (even modify local user rights) and log off w/o leaving behind the technicians account.
- Be the first to comment! To leave a comment you need to Login or Register
Two more ways
Submitted by msmith on 10 January 2008 - 9:17am.
1) Remote Execute - runs as localsystem and gives permissions to either perform the commands above or a net user command to change the administrator's password
2) Run the net user command in the same way as above - great for bulk password changing of your local administrator passwords if you think it has been leaked...
- Be the first to comment! To leave a comment you need to Login or Register



2